sys` mount point in Mesos containers should also include `nosuid,noexec,nodev` mount options.

Gavin (JIRA) Mon, 29 Apr 2019 02:31:21 -0700


     [ 
https://issues.apache.org/jira/browse/MESOS-8654?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Gavin updated MESOS-8654:
-------------------------
    Comment: was deleted

(was: www.rtat.net)

> The `/proc/sys` mount point in Mesos containers should also include 
> `nosuid,noexec,nodev` mount options.
> --------------------------------------------------------------------------------------------------------
>
>                 Key: MESOS-8654
>                 URL: https://issues.apache.org/jira/browse/MESOS-8654
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization, security
>            Reporter: Jason Lai
>            Assignee: Jason Lai
>            Priority: Critical
>              Labels: easyfix, patch, security
>             Fix For: 1.6.0
>
>
> After {{/proc/sys}} gets remounted as read-only in a Mesos container, its 
> mount options becomes {{ro,relatime}} only. It needs to share other mount 
> options of {{/proc}}, including {{nosuid,noexec,nodev}} for security reasons.
> Additional questions: shall we also sandbox other important system mount 
> points, like Systemd does with 
> [{{ProtectSystem=}}|https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=]
>  (or at least 
> [{{ProtectKernelTunables=}}|https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelTunables=])
>  and Docker does with {{docker run}} without {{--privileged}}?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Issue Comment Deleted] (MESOS-8654) The `/proc/sys` mount point in Mesos containers should also include `nosuid,noexec,nodev` mount options.

Reply via email to